adfly (other adfly site alternatives) popups / redirecting my browser


This topic is locked
11 replies to this topic

#1 NairyHipple

  • Members
  • 5 posts

Posted 22 January 2017 - 05:03 AM

I think this has been quite a common issue now. I've been searching the web endlessly for a solution and tried every possible one... installed an unbelievable number of anti-malware programs and also rkill, etc., but still... nothing new (says my system is clean). I keep getting redirected to ads and random sites with every click in my browser. It's useless trying to do it on my own, so I thought I'd rather post in a forum where someone could help me with this, as I'm not very computer savvy. Hopefully someone does, because it's really annoying (af). HELP!!


Edited by NairyHipple, 22 January 2017 - 07:50 AM.




#2 Jo*

  • Malware Response Team
  • 3,429 posts
  • Gender:Male
  • Location:Germany

Posted 22 January 2017 - 12:31 PM

Welcome to BleepingComputer.

Hi there,

My name is Jo and I will help you with your computer problems.


Please follow these guidelines:
  • Read and follow the instructions in the sequence they are posted.
  • Print or copy & save the instructions.
  • Back up all your private data / music / important files on another (external) drive before using our tools.
  • Do not install / uninstall any applications, unless otherwise instructed.
  • Use only the tools you have been instructed to use.
  • Copy and paste the log files inside your post, unless otherwise instructed.
  • Ask for clarification if you have any questions.
  • Stay with this topic until you get the all-clean post.
  • My first language is not English, so please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

***


Step 1: Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    Vista / Windows 7/8 users right-click and select Run As Administrator.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

***


Step 2: Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(it takes a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:

createsrpoint;
filesrcm;
uninstall-list;
iedefaults;
ffdefaults;
chrdefaults;
emptyclsid;
emptyalltemp;
autoclean;

Now...
Close any open browsers.
Click the Run script button, and wait. It takes a few minutes to run the whole script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the system drive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Copy and paste the log to your next reply please.
 

***


Step 3: Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
  • Right-click FRST then click "Run as administrator" (XP users: click run after receipt of Windows Security Warning - Open File).
  • When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • When finished, it will produce a log called FRST.txt in the same directory the tool was run from.
  • Please copy and paste the log in your next reply.
Note 2: The first time the tool is run it generates another log (Addition.txt - also located in the same directory the tool was run from). Please also paste that, along with the FRST.txt into your next reply.




***


Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.
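A small triage helper for the FRST.txt log that Step 3 produces, added here as an illustration; it is not part of FRST, Zoek or BleepingComputer's own tooling. The sample lines are constructed in FRST's line format (the "Updater" autostart and its SID are hypothetical), and the script assumes Python 3.8 or newer.

```python
"""Triage helper for FRST.txt-style log lines (illustrative; not a Farbar, Zoek or BleepingComputer tool).
It parses whitelisted process lines, service/driver lines and Run-key autostarts and flags what a
responder reads first: an empty publisher "()", a "not signed" tag, a registered file that is
missing "[X]", binaries in user-writable folders, and script hosts such as mshta.exe."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SECTION_RE = re.compile(r"^=+\s*(?P<sec>[A-Za-z].*?)\s*=+$")
# Processes section: "(Publisher) C:\path\file.exe"
PROC_RE = re.compile(r"^\((?P<pub>[^)]*)\)\s+(?P<rest>[A-Za-z]:\\.*)$")
# Services/Drivers: "R2 name; C:\path\file.exe [size date] (Publisher) [tags]"
SVC_RE = re.compile(r"^(?P<state>[RS][0-4])\s+(?P<name>[^;]+);\s+(?P<rest>.*)$")
# Autostarts: "HKLM\...\Run: [Name] => C:\path\file.exe [size date] (Publisher)"
RUN_RE = re.compile(r"^(?P<key>HK\S*\\\.\.\.\\Run\w*):\s+\[(?P<name>[^\]]*)\]\s+=>\s+(?P<rest>.*)$")
# Shared tail: path, optional [size date], optional (publisher), then trailing tags such as [X]
TAIL_RE = re.compile(
    r'^(?P<path>"[^"]+"|.+?\.(?:exe|sys|dll|scr|bat|cmd|vbs))'
    r"(?:\s+\[(?P<size>\d+)\s+(?P<date>\d{4}-\d{2}-\d{2})\])?(?:\s+\((?P<pub>[^)]*)\))?(?P<tags>.*)$",
    re.IGNORECASE)
USER_WRITABLE = ("\\appdata\\", "\\downloads\\", "\\temp\\", "\\users\\public\\")
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe"}

# Constructed sample in FRST's line format; the "Updater" autostart and its SID are hypothetical.
SAMPLE_LOG = r"""
==================== Processes (Whitelisted) =================
(Microsoft Corporation) C:\Windows\System32\smartscreen.exe
() C:\Windows\DAODx.exe
(Microsoft Corporation) C:\Windows\SysWOW64\mshta.exe
() C:\Users\omark\Downloads\zoek.exe
==================== Registry (Whitelisted) ====================
HKLM\...\Run: [ZAM] => C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe [14122736 2017-01-18] (Zemana Ltd.)
HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\...\Run: [Updater] => C:\Users\omark\AppData\Roaming\upd\updater.exe [51200 2017-01-21] ()
==================== Services (Whitelisted) ====================
R2 Everything; C:\Program Files\Everything\Everything.exe [1441792 2014-08-06] () [File not signed]
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [103720 2016-07-16] (Microsoft Corporation)
S3 WsDrvInst; "C:\Program Files (x86)\Wondershare\Dr.Fone for Android\DriverInstall.exe" [X]
"""

@dataclass
class Entry:
    section: str
    name: str
    path: str
    publisher: Optional[str]  # None: no publisher field at all; "": the literal "()"
    tags: str
    flags: List[str] = field(default_factory=list)

def parse_line(line: str, section: str = "") -> Optional[Entry]:
    """Turn a process, service/driver or Run-key line into an Entry; other lines give None."""
    pub, name = None, ""
    if m := PROC_RE.match(line):
        pub, rest = m["pub"], m["rest"]
    elif m := SVC_RE.match(line):
        name, rest = m["name"], m["rest"]
    elif m := RUN_RE.match(line):
        name, rest = m["name"], m["rest"]
    else:
        return None
    t = TAIL_RE.match(rest)
    if t is None:
        return None
    if t["pub"] is not None:  # services and Run keys carry the publisher in the tail
        pub = t["pub"]
    path = t["path"].strip('"')
    return Entry(section, name or path.rsplit("\\", 1)[-1], path, pub, t["tags"].strip())

def assess(e: Entry) -> Entry:
    """Attach the reasons a responder would look at this entry twice."""
    low = e.path.lower()
    if e.publisher is not None and not e.publisher.strip():
        e.flags.append("empty publisher field: unsigned or unrecognised signer")
    if "not signed" in e.tags.lower():
        e.flags.append("FRST marks the file as not signed")
    if "[x]" in e.tags.lower():
        e.flags.append("registered but file missing [X]: leftover of a removed program")
    if any(d in low for d in USER_WRITABLE):
        e.flags.append("binary lives in a user-writable folder")
    if low.rsplit("\\", 1)[-1] in SCRIPT_HOSTS:
        e.flags.append("script/HTML host: review its parent process and command line")
    return e

def triage(text: str) -> List[Entry]:
    """Return only the entries that earned at least one flag, in log order."""
    section, flagged = "", []
    for raw in text.splitlines():
        line = raw.strip()
        if m := SECTION_RE.match(line):
            section = m["sec"]
            continue
        entry = parse_line(line, section)
        if entry is not None and assess(entry).flags:
            flagged.append(entry)
    return flagged

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"[{e.section}] {e.name}: {e.path}\n    " + "\n    ".join(e.flags))
```

A flag is a reason to read the entry closely, not a verdict; legitimate software (the unsigned Everything.exe service, or a helper tool run from Downloads) will show up too.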


#3 NairyHipple
  • Topic Starter

  • Members
  • 5 posts

Posted 22 January 2017 - 01:51 PM

Hey, Jo! Thanks for your prompt response!! So here are the things you required:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
(checkup.txt)
 
Results of screen317's Security Check version 1.014 --- 12/23/15  
   x64 (UAC is enabled)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Firewall Enabled!  
Windows Defender        
Bitdefender Antivirus   
 Antivirus up to date!   
`````````Anti-malware/Other Utilities Check:````````` 
 Zemana AntiMalware    
 Adobe Reader 10.1.3 Adobe Reader out of Date!  
 Google Chrome (55.0.2883.87) 
 Google Chrome (SetupMetrics...) 
````````Process Check: objlist.exe by Laurent````````  
 Windows Defender MSMpEng.exe 
 Zemana AntiMalware ZAM.exe   
 Bitdefender Bitdefender 2017 vsserv.exe  
 Bitdefender Bitdefender Device Management DevMgmtService.exe  
 Bitdefender Agent ProductAgentService.exe   
 Bitdefender Bitdefender 2017 updatesrv.exe  
 Windows Defender MSASCuiL.exe   
 Bitdefender Bitdefender 2017 bdagent.exe  
 Bitdefender Bitdefender 2017 bdwtxcr.exe  
 Bitdefender Bitdefender 2017 bdwtxag.exe  
 Bitdefender Bitdefender 2017 seccenter.exe  
 Bitdefender Bitdefender Device Management dmiface.exe  
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C:  % 
````````````````````End of Log`````````````````````` 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
(FRST.txt)
 
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 22-01-2017
Ran by omark (administrator) on DESKTOP-77APQ4O (22-01-2017 19:59:54)
Running from C:\Users\omark\Downloads
Loaded Profiles: omark (Available Profiles: defaultuser0 & omark)
Platform: Windows 10 Pro Version 1607 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Bitdefender) C:\Program Files\Bitdefender\Bitdefender 2017\vsserv.exe
(Bitdefender) C:\Program Files\Bitdefender\Bitdefender Device Management\DevMgmtService.exe
(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
() C:\Program Files (x86)\ASUS\AXSP\1.00.19\atkexComSvc.exe
(ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.13\AsSysCtrlService.exe
(ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\AsusFanControlService\1.01.10\AsusFanControlService.exe
(ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\AAHM\1.00.20\aaHMSvc.exe
() C:\Program Files\Everything\Everything.exe
() C:\Windows\System32\PnkBstrA.exe
(Bitdefender) C:\Program Files\Bitdefender Agent\ProductAgentService.exe
(Bitdefender) C:\Program Files\Bitdefender\Bitdefender 2017\vsservp.exe
(Bitdefender) C:\Program Files\Bitdefender\Bitdefender 2017\updatesrv.exe
(Wondershare) C:\Program Files (x86)\Wondershare\WAF\2.3.1.1\WsAppService.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(Zemana Ltd.) C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe
() C:\Windows\DAODx.exe
() C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.10.145.0_x64__kzf8qxf38zg5c\SkypeHost.exe
(Microsoft Corporation) C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersServer.exe
(Microsoft Corporation) C:\Windows\System32\Speech_OneCore\Common\SpeechRuntime.exe
(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Advanced Micro Devices, Inc.) C:\Program Files\AMD\CNext\CNext\RadeonSettings.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MSASCuiL.exe
(Electronic Arts) E:\Games\(Origin)\Origin\Origin.exe
() C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe
(Bitdefender) C:\Program Files\Bitdefender\Bitdefender 2017\bdagent.exe
(Bitdefender) C:\Program Files\Bitdefender\Bitdefender 2017\bdwtxag.exe
() E:\Games\(Origin)\Origin\QtWebEngineProcess.exe
() E:\Games\(Origin)\Origin\QtWebEngineProcess.exe
(Microsoft Corporation) C:\Windows\System32\cmd.exe
(Microsoft Corporation) C:\Windows\System32\PING.EXE
(Bitdefender) C:\Program Files\Bitdefender\Bitdefender 2017\seccenter.exe
(Bitdefender) C:\Program Files\Bitdefender\Bitdefender Device Management\dmiface.exe
(Microsoft Corporation) C:\Windows\System32\smartscreen.exe
() C:\Users\omark\Downloads\zoek.exe
(Microsoft Corporation) C:\Windows\SysWOW64\cmd.exe
(Microsoft Corporation) C:\Windows\SysWOW64\cmd.exe
(Microsoft Corporation) C:\Windows\SysWOW64\cmd.exe
(Microsoft Corporation) C:\Windows\SysWOW64\mshta.exe
 
==================== Registry (Whitelisted) ====================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [6827664 2012-08-07] (Realtek Semiconductor)
HKLM\...\Run: [StartCN] => C:\Program Files\AMD\CNext\CNext\RadeonSettings.exe [8027016 2016-09-16] (Advanced Micro Devices, Inc.)
HKLM\...\Run: [WindowsDefender] => C:\Program Files\Windows Defender\MSASCuiL.exe [631808 2016-07-16] (Microsoft Corporation)
HKLM\...\Run: [ZAM] => C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe [14122736 2017-01-18] (Zemana Ltd.)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [843712 2012-04-04] (Adobe Systems Incorporated)
HKU\S-1-5-21-3043529976-417534618-3113873037-1001\...\Run: [EADM] => E:\Games\(Origin)\Origin\Origin.exe [3044848 2017-01-20] (Electronic Arts)
ShellIconOverlayIdentifiers: [   IDM Shell Extension] -> {CDC95B92-E27C-4745-A8C5-64A52A78855D} => C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll [2015-08-14] (Tonec Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\TP-LINK Wireless Configuration Utility.lnk [2017-01-07]
ShortcutTarget: TP-LINK Wireless Configuration Utility.lnk -> C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe ()
BootExecute: autocheck autochk * sdnclean64.exe
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 5.196.39.62 8.8.4.4
Tcpip\..\Interfaces\{c9dd9edf-2b38-488c-acfb-7a7edbf02bda}: [DhcpNameServer] 5.196.39.62 8.8.4.4
 
Internet Explorer:
==================
BHO: IDM integration (IDMIEHlprObj Class) -> {0055C089-8582-441B-A0BF-17B458C2A3A8} -> C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll [2016-11-09] (Internet Download Manager, Tonec Inc.)
BHO: Bitdefender Wallet  -> {1DAC0C53-7D23-4AB3-856A-B04D98CD982A} -> C:\Program Files\Bitdefender\Bitdefender 2017\pmbxie.dll [2017-01-22] (Bitdefender)
BHO-x32: IDM integration (IDMIEHlprObj Class) -> {0055C089-8582-441B-A0BF-17B458C2A3A8} -> C:\Program Files (x86)\Internet Download Manager\IDMIECC.dll [2016-11-09] (Internet Download Manager, Tonec Inc.)
BHO-x32: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2012-04-04] (Adobe Systems Incorporated)
BHO-x32: Bitdefender Wallet -> {1DAC0C53-7D23-4AB3-856A-B04D98CD982A} -> C:\Program Files\Bitdefender\Bitdefender 2017\Antispam32\pmbxie.dll [2017-01-22] (Bitdefender)
Toolbar: HKLM - Bitdefender Wallet  - {1DAC0C53-7D23-4AB3-856A-B04D98CD982A} - C:\Program Files\Bitdefender\Bitdefender 2017\pmbxie.dll [2017-01-22] (Bitdefender)
Toolbar: HKLM-x32 - Bitdefender Wallet - {1DAC0C53-7D23-4AB3-856A-B04D98CD982A} - C:\Program Files\Bitdefender\Bitdefender 2017\Antispam32\pmbxie.dll [2017-01-22] (Bitdefender)
 
FireFox:
========
FF HKLM\...\Firefox\Extensions: [bdwteffv20@bitdefender.com] - C:\Program Files\Bitdefender\Bitdefender 2017\antispam32\bdwteff
FF Extension: (Bitdefender Wallet) - C:\Program Files\Bitdefender\Bitdefender 2017\antispam32\bdwteff [2017-01-22]
FF HKLM\...\Thunderbird\Extensions: [bdThunderbird@bitdefender.com] - C:\Program Files\Bitdefender\Bitdefender 2017\bdtbext
FF Extension: (Bitdefender Antispam Toolbar) - C:\Program Files\Bitdefender\Bitdefender 2017\bdtbext [2016-12-13] [not signed]
FF HKLM-x32\...\Firefox\Extensions: [bdwteffv20@bitdefender.com] - C:\Program Files\Bitdefender\Bitdefender 2017\antispam32\bdwteff
FF HKLM-x32\...\Thunderbird\Extensions: [bdThunderbird@bitdefender.com] - C:\Program Files\Bitdefender\Bitdefender 2017\bdtbext
FF HKU\S-1-5-21-3043529976-417534618-3113873037-1001\...\SeaMonkey\Extensions: [mozilla_cc2@internetdownloadmanager.com] - C:\Program Files (x86)\Internet Download Manager\idmmzcc2.xpi
FF Extension: (IDM integration) - C:\Program Files (x86)\Internet Download Manager\idmmzcc2.xpi [2016-10-11]
FF HKU\S-1-5-21-3043529976-417534618-3113873037-1001\...\SeaMonkey\Extensions: [mozilla_cc@internetdownloadmanager.com] - C:\Users\omark\AppData\Roaming\IDM\idmmzcc5
FF Extension: (IDM CC) - C:\Users\omark\AppData\Roaming\IDM\idmmzcc5 [2017-01-22] [not signed]
FF Plugin-x32: @esn/esnlaunch,version=2.3.0 -> C:\Program Files (x86)\Battlelog Web Plugins\2.3.0\npesnlaunch.dll [2013-09-16] (ESN Social Software AB)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2017-01-22] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2017-01-22] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2012-04-04] (Adobe Systems Inc.)
 
Chrome: 
=======
CHR DefaultProfile: Default
CHR HomePage: Default -> hxxps://www.google.com/webhp?hl=en
CHR StartupUrls: Default -> "hxxps://www.google.com/webhp?hl=en"
CHR DefaultSearchKeyword: Default -> google.com.eg_
CHR Profile: C:\Users\omark\AppData\Local\Google\Chrome\User Data\Default [2017-01-22]
CHR Extension: (Google Drive) - C:\Users\omark\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2017-01-07]
CHR Extension: (Turn Off the Lights) - C:\Users\omark\AppData\Local\Google\Chrome\User Data\Default\Extensions\bfbmjmiodbnnpllbbbfblcplfjjepjdn [2017-01-19]
CHR Extension: (Poper Blocker) - C:\Users\omark\AppData\Local\Google\Chrome\User Data\Default\Extensions\bkkbcggnhapdmkeljlodobbkopceiche [2017-01-21]
CHR Extension: (YouTube) - C:\Users\omark\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2017-01-07]
CHR Extension: (Background Image for Google™ Homepage) - C:\Users\omark\AppData\Local\Google\Chrome\User Data\Default\Extensions\cedihplmdadkgmhdlblolekfbpghnppa [2017-01-21]
CHR Extension: (Image Downloader) - C:\Users\omark\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnpniohnfphhjihaiiggeabnkjhpaldj [2017-01-21]
CHR Extension: (Bitdefender Wallet) - C:\Users\omark\AppData\Local\Google\Chrome\User Data\Default\Extensions\gannpgaobkkhmpomoijebaigcapoeebl [2017-01-20]
CHR Extension: (AdBlock) - C:\Users\omark\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2017-01-07]
CHR Extension: (Little Alchemy) - C:\Users\omark\AppData\Local\Google\Chrome\User Data\Default\Extensions\knkapnclbofjjgicpkfoagdjohlfjhpd [2017-01-21]
CHR Extension: (IDM Integration Module) - C:\Users\omark\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngpampappnmepgilojfohadhhmbhlaek [2017-01-07]
CHR Extension: (Chrome Web Store Payments) - C:\Users\omark\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-01-19]
CHR Extension: (Hover Zoom+) - C:\Users\omark\AppData\Local\Google\Chrome\User Data\Default\Extensions\pccckmaobkjjboncdfnnofkonhgpceea [2017-01-21]
CHR Extension: (Gmail) - C:\Users\omark\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2017-01-07]
CHR Extension: (Chrome Media Router) - C:\Users\omark\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-01-07]
CHR Extension: (Audio Cutter) - C:\Users\omark\AppData\Local\Google\Chrome\User Data\Default\Extensions\plimnkafgoiilijmlbnfoafihjjijbfp [2017-01-21]
CHR Extension: (Canvas Rider) - C:\Users\omark\AppData\Local\Google\Chrome\User Data\Default\Extensions\poknhlcknimnnbfcombaooklofipaibk [2017-01-21]
CHR Profile: C:\Users\omark\AppData\Local\Google\Chrome\User Data\Profile 1 [2017-01-21]
CHR HKLM\...\Chrome\Extension: [ngpampappnmepgilojfohadhhmbhlaek] - C:\Program Files (x86)\Internet Download Manager\IDMGCExt.crx [2016-11-11]
CHR HKLM-x32\...\Chrome\Extension: [gannpgaobkkhmpomoijebaigcapoeebl] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [ngpampappnmepgilojfohadhhmbhlaek] - C:\Program Files (x86)\Internet Download Manager\IDMGCExt.crx [2016-11-11]
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 asComSvc; C:\Program Files (x86)\ASUS\AXSP\1.00.19\atkexComSvc.exe [920736 2012-06-01] ()
R2 asHmComSvc; C:\Program Files (x86)\ASUS\AAHM\1.00.20\aaHMSvc.exe [951936 2012-06-01] (ASUSTeK Computer Inc.)
R2 AsSysCtrlService; C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.13\AsSysCtrlService.exe [149120 2012-02-17] (ASUSTeK Computer Inc.)
R2 AsusFanControlService; C:\Program Files (x86)\ASUS\AsusFanControlService\1.01.10\AsusFanControlService.exe [1475744 2012-05-25] (ASUSTeK Computer Inc.)
R2 DevMgmtService; C:\Program Files\Bitdefender\Bitdefender Device Management\DevMgmtService.exe [100448 2016-11-29] (Bitdefender)
R2 Everything; C:\Program Files\Everything\Everything.exe [1441792 2014-08-06] () [File not signed]
S3 Origin Client Service; E:\Games\(Origin)\Origin\OriginClientService.exe [2119176 2017-01-20] (Electronic Arts)
S2 Origin Web Helper Service; E:\Games\(Origin)\Origin\OriginWebHelperService.exe [2181648 2017-01-20] (Electronic Arts)
R2 PnkBstrA; C:\Windows\system32\PnkBstrA.exe [76152 2017-01-03] ()
R2 PnkBstrA; C:\Windows\SysWOW64\PnkBstrA.exe [76888 2017-01-03] ()
R2 ProductAgentService; C:\Program Files\Bitdefender Agent\ProductAgentService.exe [1100392 2016-10-28] (Bitdefender)
S3 Sense; C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe [2889896 2016-07-16] (Microsoft Corporation)
R2 UPDATESRV; C:\Program Files\Bitdefender\Bitdefender 2017\updatesrv.exe [218416 2017-01-22] (Bitdefender)
R2 VSSERV; C:\Program Files\Bitdefender\Bitdefender 2017\vsserv.exe [1526528 2017-01-22] (Bitdefender)
R2 vsservp; C:\Program Files\Bitdefender\Bitdefender 2017\vsservp.exe [524872 2016-08-25] (Bitdefender)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [347328 2016-07-16] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [103720 2016-07-16] (Microsoft Corporation)
R2 WsAppService; C:\Program Files (x86)\Wondershare\WAF\2.3.1.1\WsAppService.exe [437392 2016-10-10] (Wondershare)
R2 ZAMSvc; C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe [14122736 2017-01-18] (Zemana Ltd.)
S3 WsDrvInst; "C:\Program Files (x86)\Wondershare\Dr.Fone for Android\DriverInstall.exe" [X]
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 AiChargerPlus; C:\Windows\SysWow64\drivers\AiChargerPlus.sys [14848 2012-04-19] (ASUSTek Computer Inc.)
S0 amdkmafd; C:\Windows\System32\drivers\amdkmafd.sys [49448 2016-08-18] (Advanced Micro Devices, Inc.)
R3 amdkmdag; C:\Windows\System32\DriverStore\FileRepository\c0307329.inf_amd64_55b6bd3e40065979\atikmdag.sys [26559504 2016-10-01] (Advanced Micro Devices, Inc.)
R3 amdkmdap; C:\Windows\System32\DriverStore\FileRepository\c0307329.inf_amd64_55b6bd3e40065979\atikmpag.sys [527264 2016-10-01] (Advanced Micro Devices, Inc.)
R1 AsIO; C:\Windows\SysWow64\drivers\AsIO.sys [15232 2012-08-22] ()
R1 AsUpIO; C:\Windows\SysWow64\drivers\AsUpIO.sys [14464 2012-09-14] ()
S3 ASUSFILTER; C:\Windows\SysWow64\drivers\ASUSFILTER.sys [46152 2016-11-12] (MCCI Corporation)
R3 AtiHDAudioService; C:\Windows\system32\drivers\AtihdWT6.sys [101376 2016-07-24] (Advanced Micro Devices)
R0 avc3; C:\Windows\System32\DRIVERS\avc3.sys [1605376 2016-09-20] (BitDefender)
R3 avckf; C:\Windows\System32\DRIVERS\avckf.sys [878072 2016-09-20] (BitDefender)
S0 bdelam; C:\Windows\System32\drivers\bdelam.sys [23672 2016-03-14] (Bitdefender)
R1 bdfwfpf; C:\Program Files\Common Files\Bitdefender\Bitdefender Firewall\bdfwfpf.sys [128400 2016-06-24] (BitDefender LLC)
R1 BDVEDISK; C:\Windows\system32\DRIVERS\bdvedisk.sys [87912 2015-12-04] (BitDefender)
R0 gzflt; C:\Windows\System32\DRIVERS\gzflt.sys [182944 2016-10-29] (BitDefender LLC)
R0 ignis; C:\Windows\system32\DRIVERS\ignis.sys [309280 2017-01-22] (Bitdefender)
R1 MpKsl54bc3fe6; C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{3DF05709-CD14-438B-AF60-89CC47507329}\MpKsl54bc3fe6.sys [44928 2017-01-22] (Microsoft Corporation)
S3 NetAdapterCx; C:\Windows\System32\drivers\NetAdapterCx.sys [90624 2016-07-16] ()
R3 rt640x64; C:\Windows\System32\drivers\rt640x64.sys [589824 2016-07-16] (Realtek                                            )
R3 RtlWlanu; C:\Windows\System32\drivers\rtwlanu.sys [5195776 2016-07-16] (Realtek Semiconductor Corporation                           )
S3 tap-tb-0901; C:\Windows\System32\drivers\tap-tb-0901.sys [38656 2016-10-17] (The OpenVPN Project)
R0 trufos; C:\Windows\System32\DRIVERS\trufos.sys [520032 2016-06-22] (BitDefender S.R.L.)
S0 WdBoot; C:\Windows\System32\drivers\WdBoot.sys [44056 2016-07-16] (Microsoft Corporation)
R0 WdFilter; C:\Windows\System32\drivers\WdFilter.sys [290144 2016-07-16] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [123232 2016-07-16] (Microsoft Corporation)
R3 WirelessKeyboardFilter; C:\Windows\System32\drivers\WirelessKeyboardFilter.sys [49896 2016-07-23] (Microsoft Corporation)
R1 ZAM; C:\Windows\System32\drivers\zam64.sys [203680 2017-01-22] (Zemana Ltd.)
R1 ZAM_Guard; C:\Windows\System32\drivers\zamguard64.sys [203680 2017-01-22] (Zemana Ltd.)
S2 AODDriver4.2.0; \??\C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-01-22 19:59 - 2017-01-22 20:00 - 00017850 _____ C:\Users\omark\Downloads\FRST.txt
2017-01-22 19:50 - 2017-01-22 19:52 - 02420736 _____ (Farbar) C:\Users\omark\Downloads\FRST64.exe
2017-01-22 19:49 - 2017-01-22 20:00 - 00000472 _____ C:\runcheck.txt
2017-01-22 19:49 - 2017-01-22 19:49 - 00000000 ____D C:\zoek_backup
2017-01-22 19:48 - 2017-01-22 19:48 - 00001328 _____ C:\Users\omark\Desktop\checkup.txt
2017-01-22 19:46 - 2017-01-22 19:49 - 01309184 _____ C:\Users\omark\Downloads\zoek.exe
2017-01-22 19:46 - 2017-01-22 19:48 - 00852798 _____ C:\Users\omark\Downloads\SecurityCheck.exe
2017-01-22 16:46 - 2017-01-22 16:55 - 00000020 _____ C:\Users\omark\Desktop\TE DATA.txt
2017-01-22 15:55 - 2017-01-22 16:00 - 01009118 _____ C:\TDSSKiller.3.1.0.12_22.01.2017_15.55.57_log.txt
2017-01-22 15:53 - 2017-01-22 15:54 - 00261818 _____ C:\TDSSKiller.3.1.0.12_22.01.2017_15.53.43_log.txt
2017-01-22 15:53 - 2017-01-22 15:53 - 00000492 _____ C:\TDSSKiller.3.1.0.12_22.01.2017_15.53.25_log.txt
2017-01-22 15:46 - 2017-01-22 15:48 - 00263136 _____ C:\TDSSKiller.3.1.0.12_22.01.2017_15.46.35_log.txt
2017-01-22 15:46 - 2017-01-22 15:46 - 00002390 _____ C:\TDSSKiller.3.1.0.12_22.01.2017_15.46.16_log.txt
2017-01-22 15:45 - 2017-01-22 15:46 - 00002390 _____ C:\TDSSKiller.3.1.0.12_22.01.2017_15.45.48_log.txt
2017-01-22 15:44 - 2017-01-22 15:45 - 04747704 _____ (AO Kaspersky Lab) C:\Users\omark\Downloads\tdsskiller.exe
2017-01-22 15:25 - 2017-01-22 15:25 - 00054736 _____ C:\Windows\system32\Drivers\hitmanpro37.sys
2017-01-22 15:24 - 2017-01-22 15:31 - 00000000 ____D C:\ProgramData\HitmanPro
2017-01-22 15:18 - 2017-01-22 15:18 - 00002073 _____ C:\Users\omark\Desktop\HighOffYou Lyrics.txt
2017-01-22 15:07 - 2017-01-22 15:09 - 00000000 ____D C:\AdwCleaner
2017-01-22 13:41 - 2017-01-22 13:41 - 00003282 _____ C:\Windows\System32\Tasks\ping
2017-01-22 11:38 - 2017-01-22 11:38 - 00000085 _____ C:\Windows\wininit.ini
2017-01-22 11:28 - 2017-01-22 14:22 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2
2017-01-22 11:28 - 2017-01-22 11:38 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
2017-01-22 11:28 - 2017-01-22 11:28 - 00000000 ____D C:\Windows\System32\Tasks\Safer-Networking
2017-01-22 10:59 - 2017-01-22 20:00 - 00434319 _____ C:\Windows\ZAM.krnl.trace
2017-01-22 10:59 - 2017-01-22 20:00 - 00258333 _____ C:\Windows\ZAM_Guard.krnl.trace
2017-01-22 10:59 - 2017-01-22 10:59 - 00203680 _____ (Zemana Ltd.) C:\Windows\system32\Drivers\zamguard64.sys
2017-01-22 10:59 - 2017-01-22 10:59 - 00203680 _____ (Zemana Ltd.) C:\Windows\system32\Drivers\zam64.sys
2017-01-22 10:59 - 2017-01-22 10:59 - 00000000 ____D C:\Users\omark\AppData\Local\Zemana
2017-01-22 10:59 - 2017-01-22 10:59 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Zemana AntiMalware
2017-01-22 10:59 - 2017-01-22 10:59 - 00000000 ____D C:\Program Files (x86)\Zemana AntiMalware
2017-01-22 10:58 - 2017-01-22 10:58 - 00000492 _____ C:\TDSSKiller.3.1.0.12_22.01.2017_10.58.17_log.txt
2017-01-22 10:53 - 2017-01-22 10:55 - 00260210 _____ C:\TDSSKiller.3.1.0.12_22.01.2017_10.53.42_log.txt
2017-01-22 10:47 - 2017-01-22 10:47 - 00002344 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2017-01-22 10:35 - 2017-01-22 11:19 - 00000928 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2017-01-22 10:35 - 2017-01-22 11:19 - 00000924 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2017-01-22 10:35 - 2017-01-22 10:35 - 00003986 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2017-01-22 10:35 - 2017-01-22 10:35 - 00003754 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2017-01-22 10:09 - 2017-01-22 15:09 - 00000000 ____D C:\Users\omark\AppData\Roaming\Everything
2017-01-22 10:09 - 2017-01-22 10:09 - 00000000 ____D C:\Users\omark\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Everything
2017-01-22 10:09 - 2017-01-22 10:09 - 00000000 ____D C:\Program Files\Everything
2017-01-22 09:54 - 2017-01-22 09:54 - 604658351 _____ C:\Windows\MEMORY.DMP
2017-01-22 08:17 - 2017-01-22 19:59 - 00000000 ____D C:\FRST
2017-01-20 17:21 - 2017-01-20 17:25 - 00000000 ____D C:\Users\omark\AppData\Roaming\IMVU
2017-01-20 17:21 - 2017-01-20 17:21 - 00000000 ____D C:\Users\omark\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IMVU
2017-01-20 17:21 - 2017-01-20 17:21 - 00000000 ____D C:\Users\omark\AppData\Roaming\Macromedia
2017-01-20 17:20 - 2017-01-20 17:21 - 00000000 ____D C:\Users\omark\AppData\Roaming\IMVUClient
2017-01-20 13:54 - 2017-01-20 13:56 - 00000000 ____D C:\Users\omark\AppData\Temp
2017-01-20 13:47 - 2017-01-22 10:15 - 00003406 _____ C:\Windows\System32\Tasks\Bitdefender AgentTask_AD394AE64E874073B10A89FEEC305A3C
2017-01-20 13:47 - 2017-01-20 13:47 - 00396377 _____ C:\ProgramData\cl.1484912583.bdinstall.bin
2017-01-20 13:46 - 2017-01-20 13:46 - 00002299 _____ C:\Users\Public\Desktop\Bitdefender 2017.lnk
2017-01-20 13:46 - 2017-01-20 13:46 - 00000684 ____H C:\bdr-cf01
2017-01-20 13:46 - 2017-01-20 13:46 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Bitdefender 2017
2017-01-20 13:46 - 2016-03-14 22:04 - 00023672 _____ (Bitdefender) C:\Windows\system32\Drivers\bdelam.sys
2017-01-20 13:45 - 2017-01-22 07:33 - 00309280 _____ (Bitdefender) C:\Windows\system32\Drivers\ignis.sys
2017-01-20 13:45 - 2017-01-20 13:46 - 00253404 ____H C:\bdr-ld01
2017-01-20 13:45 - 2017-01-20 13:46 - 00009216 ____H C:\bdr-ld01.mbr
2017-01-20 13:45 - 2016-10-18 11:51 - 49758588 ____H C:\bdr-im01.gz
2017-01-20 13:45 - 2016-09-20 04:17 - 01605376 _____ (BitDefender) C:\Windows\system32\Drivers\avc3.sys
2017-01-20 13:45 - 2016-09-20 04:16 - 00878072 _____ (BitDefender) C:\Windows\system32\Drivers\avckf.sys
2017-01-20 13:45 - 2015-12-04 19:27 - 00087912 _____ (BitDefender) C:\Windows\system32\Drivers\bdvedisk.sys
2017-01-20 13:45 - 2013-08-13 13:38 - 03271472 ____H C:\bdr-bz01
2017-01-20 13:43 - 2016-10-29 09:54 - 00182944 _____ (BitDefender LLC) C:\Windows\system32\Drivers\gzflt.sys
2017-01-20 13:43 - 2016-06-22 15:40 - 00520032 _____ (BitDefender S.R.L.) C:\Windows\system32\Drivers\trufos.sys
2017-01-20 13:42 - 2017-01-20 13:43 - 00000000 ____D C:\Program Files\Common Files\Bitdefender
2017-01-20 12:11 - 2017-01-20 13:42 - 413390520 _____ C:\Users\omark\Downloads\bitdefender_ts_21_64b.exe
2017-01-20 09:00 - 2017-01-20 09:00 - 00028940 _____ C:\ProgramData\agent.1484895646.bdinstall.bin
2017-01-19 19:32 - 2017-01-20 18:02 - 00089600 ___SH C:\Users\omark\Downloads\Thumbs.db
2017-01-07 21:29 - 2017-01-07 21:29 - 00028203 _____ C:\ProgramData\agent.1483817350.bdinstall.bin
2017-01-05 22:36 - 2017-01-20 13:43 - 00000000 ____D C:\Program Files\Bitdefender
2017-01-05 22:36 - 2017-01-05 22:36 - 00055018 _____ C:\ProgramData\dm.1483648597.bdinstall.bin
2017-01-05 22:36 - 2017-01-05 22:36 - 00000000 ____D C:\ProgramData\Bitdefender Device Management
2017-01-05 21:29 - 2017-01-05 21:29 - 00028067 _____ C:\ProgramData\agent.1483644549.bdinstall.bin
2017-01-05 20:40 - 2017-01-07 22:18 - 00000000 ____D C:\Windows\system32\appmgmt
2017-01-05 20:21 - 2017-01-05 22:32 - 00007601 _____ C:\Users\omark\AppData\Local\Resmon.ResmonCfg
2017-01-05 19:22 - 2017-01-05 19:22 - 00020403 _____ C:\ProgramData\agent.1483636970.bdinstall.bin
2017-01-05 01:57 - 2017-01-05 01:57 - 00000000 ____D C:\Windows\system32\ÿÿÿÿÿÿÿÿq
2017-01-05 01:57 - 2017-01-05 01:57 - 00000000 ____D C:\Windows\system32\5c7d6a7aa780ac998e1d90..bin
2017-01-04 22:37 - 2017-01-04 22:37 - 00000385 _____ C:\Windows\system32\user_gensett.xml
2017-01-04 22:34 - 2017-01-22 15:54 - 00003930 _____ C:\bdlog.txt
2017-01-04 22:30 - 2017-01-04 22:30 - 00028756 _____ C:\ProgramData\agent.1483561844.bdinstall.bin
2017-01-04 22:10 - 2017-01-05 21:29 - 00000000 ____D C:\ProgramData\BDLogging
2017-01-04 22:10 - 2007-04-11 11:11 - 00511328 _____ (Microsoft Corporation) C:\Windows\capicom.dll
2017-01-04 22:09 - 2017-01-05 22:36 - 00000000 ____D C:\Users\omark\AppData\Roaming\Bitdefender
2017-01-04 22:07 - 2017-01-04 22:07 - 00003794 _____ C:\Windows\System32\Tasks\Bitdefender Agent WatchDog_65D6944A0EF74FDAB96E31112AD39864
2017-01-04 22:06 - 2017-01-22 10:15 - 00000000 ____D C:\ProgramData\Bitdefender
2017-01-04 22:06 - 2017-01-04 22:06 - 00000000 ____D C:\Users\omark\AppData\Roaming\QuickScan
2017-01-04 22:05 - 2017-01-22 19:21 - 00000000 ____D C:\Program Files\Bitdefender Agent
2017-01-04 22:05 - 2017-01-04 22:05 - 00044656 _____ C:\ProgramData\1483560304.bdinstall.bin
2017-01-04 22:05 - 2017-01-04 22:05 - 00000000 ____D C:\ProgramData\Bitdefender Agent
2017-01-04 20:40 - 2017-01-05 17:57 - 00000000 ____D C:\Users\omark\AppData\Roaming\TunnelBear
2017-01-04 20:40 - 2017-01-04 20:40 - 00000000 ____D C:\Users\omark\AppData\Local\IsolatedStorage
2017-01-03 21:15 - 2017-01-03 21:15 - 00001368 _____ C:\Users\omark\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SPF.lnk
2017-01-02 19:43 - 2017-01-03 21:15 - 00000000 ____D C:\Users\omark\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Simple Port Forwarding
2017-01-02 19:43 - 2017-01-02 19:43 - 00000000 ____D C:\Windows\Simple Port Forwarding
2017-01-02 19:42 - 2017-01-02 19:43 - 00023651 _____ C:\Windows\Simple Port Forwarding Setup Log.txt
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-01-22 19:58 - 2016-12-08 22:41 - 00000000 ____D C:\Users\omark\AppData\Roaming\Origin
2017-01-22 17:50 - 2016-12-09 09:46 - 00226168 _____ C:\Windows\SysWOW64\PnkBstrB.exe
2017-01-22 17:50 - 2016-12-09 09:46 - 00226168 _____ C:\Windows\SysWOW64\PnkBstrB.ex0
2017-01-22 17:06 - 2016-07-16 08:04 - 00065536 _____ C:\Windows\system32\config\ELAM
2017-01-22 16:08 - 2016-12-08 21:16 - 00000000 ____D C:\ProgramData\Origin
2017-01-22 16:08 - 2016-11-12 16:49 - 01791080 _____ C:\Windows\system32\PerfStringBackup.INI
2017-01-22 16:03 - 2016-11-12 16:48 - 00000000 ____D C:\Users\omark
2017-01-22 16:02 - 2016-12-11 01:28 - 00000000 ____D C:\Windows\Minidump
2017-01-22 16:02 - 2016-11-13 02:40 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2017-01-22 16:02 - 2016-11-13 02:40 - 00000000 ____D C:\Windows\system32\SleepStudy
2017-01-22 16:02 - 2016-11-13 02:39 - 00278591 ____N C:\Windows\Minidump\012217-25765-01.dmp
2017-01-22 15:54 - 2016-11-13 01:08 - 00065536 _____ C:\Windows\system32\spu_storage.bin
2017-01-22 15:54 - 2016-07-16 08:04 - 00524288 _____ C:\Windows\system32\config\BBI
2017-01-22 15:14 - 2016-12-08 21:19 - 00004166 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{05641EDF-31CA-4E7E-8D39-CEB59230F123}
2017-01-22 14:46 - 2016-07-16 13:36 - 00000000 ____D C:\Windows\CbsTemp
2017-01-22 14:25 - 2016-07-16 13:47 - 00000000 ____D C:\Windows\system32\NDF
2017-01-22 11:08 - 2016-11-12 16:50 - 00000000 ____D C:\Users\omark\AppData\Local\VirtualStore
2017-01-22 10:54 - 2016-11-12 23:35 - 00000000 ____D C:\Users\omark\AppData\Roaming\DMCache
2017-01-22 10:47 - 2016-11-12 17:40 - 00000000 ____D C:\Program Files (x86)\Google
2017-01-22 10:07 - 2016-11-12 16:50 - 00000000 ____D C:\Users\omark\AppData\Local\Packages
2017-01-21 16:52 - 2016-11-12 17:40 - 00000000 ____D C:\Users\omark\AppData\Local\Google
2017-01-21 16:17 - 2016-07-16 13:47 - 00000000 ____D C:\Windows\AppReadiness
2017-01-21 16:09 - 2016-07-16 13:45 - 00000000 ____D C:\Windows\INF
2017-01-20 18:51 - 2016-07-16 13:47 - 00000000 ___HD C:\Program Files\WindowsApps
2017-01-20 17:23 - 2016-07-16 13:47 - 00000000 ____D C:\Windows\LiveKernelReports
2017-01-07 22:24 - 2016-11-12 16:55 - 00000008 __RSH C:\ProgramData\ntuser.pol
2017-01-07 22:10 - 2016-12-02 16:47 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TP-LINK
2017-01-07 22:10 - 2016-12-02 16:46 - 00000000 ____D C:\ProgramData\TP-LINK
2017-01-05 20:42 - 2016-11-12 17:18 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2017-01-05 20:42 - 2016-11-12 17:13 - 00000000 ____D C:\Windows\System32\Tasks\ASUS
2017-01-05 20:32 - 2016-11-19 23:17 - 00000000 ___HD C:\Program Files (x86)\DrFoneAndroid_Temp
2017-01-05 20:32 - 2016-11-19 23:17 - 00000000 ____D C:\Program Files (x86)\Wondershare
2017-01-05 20:31 - 2016-12-09 12:12 - 00000000 ____D C:\Program Files (x86)\Battlelog Web Plugins
2017-01-05 19:35 - 2016-11-16 20:11 - 00000000 _____ C:\Windows\Path.idx
2017-01-05 19:30 - 2016-11-12 20:11 - 01048576 _____ C:\Windows\PE_Rom.dll
2017-01-05 17:57 - 2016-11-12 19:14 - 00000000 ____D C:\ProgramData\Package Cache
2017-01-04 22:42 - 2016-12-03 13:56 - 00000000 ____D C:\Program Files (x86)\Opera
2017-01-03 18:44 - 2016-12-09 13:03 - 00076152 _____ C:\Windows\system32\PnkBstrA.exe
2017-01-03 18:25 - 2016-12-09 12:13 - 00000735 _____ C:\Users\Public\Desktop\Battlefield 4.lnk
2017-01-03 18:25 - 2016-12-09 09:46 - 00076888 _____ C:\Windows\SysWOW64\PnkBstrA.exe
2017-01-03 17:59 - 2016-11-12 17:24 - 00003351 _____ C:\Users\omark\Desktop\---.txt
2016-12-31 18:56 - 2016-11-12 16:50 - 00000000 ___SD C:\Users\omark\AppData\LocalLow\Microsoft
2016-12-31 18:56 - 2016-11-12 16:48 - 00000000 ___SD C:\Users\omark\AppData\Roaming\Microsoft
2016-12-26 03:54 - 2016-11-12 17:24 - 00006305 _____ C:\Users\omark\Desktop\Random bleep I.txt
 
==================== Files in the root of some directories =======
 
2016-12-18 22:12 - 2016-12-18 22:12 - 0000046 _____ () C:\Users\omark\AppData\Roaming\Camdata.ini
2016-12-18 22:12 - 2016-12-18 22:12 - 0000408 _____ () C:\Users\omark\AppData\Roaming\CamLayout.ini
2016-12-18 22:12 - 2016-12-18 22:12 - 0000408 _____ () C:\Users\omark\AppData\Roaming\CamShapes.ini
2016-12-18 22:12 - 2016-12-18 22:12 - 0004550 _____ () C:\Users\omark\AppData\Roaming\CamStudio.cfg
2016-12-18 22:10 - 2016-12-18 22:10 - 0000096 _____ () C:\Users\omark\AppData\Roaming\version2.xml
2017-01-05 20:21 - 2017-01-05 22:32 - 0007601 _____ () C:\Users\omark\AppData\Local\Resmon.ResmonCfg
2017-01-04 22:05 - 2017-01-04 22:05 - 0044656 _____ () C:\ProgramData\1483560304.bdinstall.bin
2017-01-04 22:30 - 2017-01-04 22:30 - 0028756 _____ () C:\ProgramData\agent.1483561844.bdinstall.bin
2017-01-05 19:22 - 2017-01-05 19:22 - 0020403 _____ () C:\ProgramData\agent.1483636970.bdinstall.bin
2017-01-05 21:29 - 2017-01-05 21:29 - 0028067 _____ () C:\ProgramData\agent.1483644549.bdinstall.bin
2017-01-07 21:29 - 2017-01-07 21:29 - 0028203 _____ () C:\ProgramData\agent.1483817350.bdinstall.bin
2017-01-20 09:00 - 2017-01-20 09:00 - 0028940 _____ () C:\ProgramData\agent.1484895646.bdinstall.bin
2017-01-20 13:47 - 2017-01-20 13:47 - 0396377 _____ () C:\ProgramData\cl.1484912583.bdinstall.bin
2017-01-05 22:36 - 2017-01-05 22:36 - 0055018 _____ () C:\ProgramData\dm.1483648597.bdinstall.bin
 
Some files in TEMP:
====================
2017-01-22 19:49 - 2017-01-22 19:49 - 0476672 _____ () C:\Users\omark\AppData\Local\Temp\7za.exe
2017-01-22 19:49 - 2017-01-22 19:49 - 0020480 _____ (E Dev) C:\Users\omark\AppData\Local\Temp\DaS_21.exe
2017-01-22 19:49 - 2017-01-22 19:49 - 0388608 _____ (Trend Micro Inc.) C:\Users\omark\AppData\Local\Temp\hijackthis.exe
2017-01-22 15:33 - 2017-01-22 15:24 - 11581544 _____ (SurfRight B.V.) C:\Users\omark\AppData\Local\Temp\HitmanPro.exe
2017-01-20 17:02 - 2017-01-20 17:20 - 37179352 _____ () C:\Users\omark\AppData\Local\Temp\InstallIMVU_530.0.exe
2017-01-22 19:49 - 2017-01-22 19:49 - 0030720 _____ (NirSoft) C:\Users\omark\AppData\Local\Temp\NirCmd.exe
2017-01-22 19:49 - 2017-01-22 19:49 - 0256512 _____ () C:\Users\omark\AppData\Local\Temp\PEVZ.EXE
2017-01-22 19:49 - 2017-01-22 19:49 - 0069632 _____ () C:\Users\omark\AppData\Local\Temp\remove.exe
2017-01-22 19:49 - 2017-01-22 19:49 - 0098816 _____ () C:\Users\omark\AppData\Local\Temp\sed.exe
2017-01-22 19:49 - 2017-01-22 19:49 - 0057344 _____ (Optimum X) C:\Users\omark\AppData\Local\Temp\shortcut.exe
2017-01-22 19:49 - 2017-01-22 19:49 - 0161792 _____ (SteelWerX) C:\Users\omark\AppData\Local\Temp\swreg.exe
2017-01-22 19:49 - 2017-01-22 19:49 - 0217088 _____ (SteelWerX) C:\Users\omark\AppData\Local\Temp\swxcacls.exe
2017-01-22 19:49 - 2017-01-22 19:49 - 0154232 _____ (Noël Danjou) C:\Users\omark\AppData\Local\Temp\wget.exe
2017-01-22 19:49 - 2017-01-22 19:49 - 0024064 _____ () C:\Users\omark\AppData\Local\Temp\zoek-delete.exe
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
LastRegBack: 2017-01-20 08:46
 
==================== End of FRST.txt ============================
 
(Addition.txt)
 
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 22-01-2017
Ran by omark (22-01-2017 20:00:43)
Running from C:\Users\omark\Downloads
Windows 10 Pro Version 1607 (X64) (2016-11-12 14:47:05)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-3043529976-417534618-3113873037-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-3043529976-417534618-3113873037-503 - Limited - Disabled)
defaultuser0 (S-1-5-21-3043529976-417534618-3113873037-1000 - Limited - Disabled) => C:\Users\defaultuser0
Guest (S-1-5-21-3043529976-417534618-3113873037-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-3043529976-417534618-3113873037-1004 - Limited - Enabled)
omark (S-1-5-21-3043529976-417534618-3113873037-1001 - Administrator - Enabled) => C:\Users\omark
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AV: Bitdefender Antivirus (Enabled - Up to date) {3FB17364-4FCC-0FA7-6BBF-973897395371}
AS: Bitdefender Antispyware (Enabled - Up to date) {84D09280-69F6-0029-510F-AC4AECBE19CC}
AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Bitdefender Firewall (Disabled) {078AF241-05A3-0EFF-40E0-3E0D69EA140A}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
Adobe Flash Player 23 PPAPI (HKLM-x32\...\Adobe Flash Player PPAPI) (Version: 23.0.0.207 - Adobe Systems Incorporated)
Adobe Reader X (10.1.3) MUI (HKLM-x32\...\{AC76BA86-7AD7-FFFF-7B44-AA0000000001}) (Version: 10.1.3 - Adobe Systems Incorporated)
AMD Install Manager (HKLM\...\AMD Catalyst Install Manager) (Version: 9.0.000.4 - Advanced Micro Devices, Inc.)
Application Profiles (HKLM-x32\...\{9B32A619-D5BD-BCDC-C082-ABC49C8D3E29}) (Version: 1.00.0000 - Advanced Micro Devices, Inc.)
Battlelog Web Plugins (HKLM-x32\...\Battlelog Web Plugins) (Version: 2.3.0 - EA Digital Illusions CE AB)
Bitdefender Agent (HKLM\...\Bitdefender Agent) (Version: 20.0.26.1436 - Bitdefender)
Bitdefender Device Management (HKLM\...\Bitdefender Device Management) (Version: 21.0.22.1050 - Bitdefender)
Bitdefender Total Security 2017 (HKLM\...\Bitdefender) (Version: 21.0.22.1050 - Bitdefender)
Catalyst Control Center Next Localization BR (Version: 2016.0916.1515.27418 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization CHS (Version: 2016.0916.1515.27418 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization CHT (Version: 2016.0916.1515.27418 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization CS (Version: 2016.0916.1515.27418 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization DA (Version: 2016.0916.1515.27418 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization DE (Version: 2016.0916.1515.27418 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization EL (Version: 2016.0916.1515.27418 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization ES (Version: 2016.0916.1515.27418 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization FI (Version: 2016.0916.1515.27418 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization FR (Version: 2016.0916.1515.27418 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization HU (Version: 2016.0916.1515.27418 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization IT (Version: 2016.0916.1515.27418 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization JA (Version: 2016.0916.1515.27418 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization KO (Version: 2016.0916.1515.27418 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization NL (Version: 2016.0916.1515.27418 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization NO (Version: 2016.0916.1515.27418 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization PL (Version: 2016.0916.1515.27418 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization RU (Version: 2016.0916.1515.27418 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization SV (Version: 2016.0916.1515.27418 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization TH (Version: 2016.0916.1515.27418 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization TR (Version: 2016.0916.1515.27418 - Advanced Micro Devices, Inc.) Hidden
Everything 1.3.4.686 (x64) (HKLM\...\Everything) (Version:  - )
Fraps (remove only) (HKLM-x32\...\Fraps) (Version:  - )
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 55.0.2883.87 - Google Inc.)
Google Update Helper (x32 Version: 1.3.31.5 - Google Inc.) Hidden
Icecream Screen Recorder version 4.57 (HKLM-x32\...\{7ADEC622-3230-4C9A-9DCE-9BD462B74095}_is1) (Version: 4.57 - Icecream Apps)
Internet Download Manager (HKLM-x32\...\Internet Download Manager) (Version:  - Tonec Inc.)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM-x32\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.60610 (HKLM-x32\...\{a1909659-0a08-4554-8af1-2175904903a1}) (Version: 11.0.60610.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.60610 (HKLM-x32\...\{95716cce-fc71-413f-8ad5-56c2892d4b3a}) (Version: 11.0.60610.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.40660 (HKLM-x32\...\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}) (Version: 12.0.40660.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM-x32\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.24215 (HKLM-x32\...\{e2803110-78b3-4664-a479-3611a381656a}) (Version: 14.0.24215.1 - Microsoft Corporation)
NVIDIA PhysX (HKLM-x32\...\{8B922CF8-8A6C-41CE-A858-F1755D7F5D29}) (Version: 9.12.1031 - NVIDIA Corporation)
Origin (HKLM-x32\...\Origin) (Version: 10.3.5.6379 - Electronic Arts, Inc.)
PunkBuster Services (HKLM-x32\...\PunkBusterSvc) (Version: 0.993 - Even Balance, Inc.)
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 8.3.730.2012 - Realtek)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6699 - Realtek Semiconductor Corp.)
Simple Port Forwarding (HKLM-x32\...\Simple Port Forwarding) (Version: 3.8.5 - PcWinTech.com)
TP-LINK TL-WN725N_TL-WN723N Driver (HKLM-x32\...\{3C3F9CEB-2C5A-4A47-8EAA-DA76037546BA}) (Version: 1.3.1 - TP-LINK)
TP-LINK Wireless Configuration Utility (HKLM-x32\...\{319D91C6-3D44-436C-9F79-36C0D22372DC}) (Version: 1.3.1 - TP-LINK)
WinRAR 5.40 (64-bit) (HKLM\...\WinRAR archiver) (Version: 5.40.0 - win.rar GmbH)
Zemana AntiMalware (HKLM-x32\...\{8F0CD7D1-42F3-4195-95CD-833578D45057}_is1) (Version: 2.70.576 - Zemana Ltd.)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {117057D6-70B1-4C0A-93AE-F5020DBE12D1} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance => C:\Program Files\Windows Defender\\MpCmdRun.exe [2016-07-16] (Microsoft Corporation)
Task: {1E707171-A413-4D60-9206-9E78A4C831EA} - System32\Tasks\Bitdefender Agent WatchDog_65D6944A0EF74FDAB96E31112AD39864 => C:\Program Files\Bitdefender Agent\WatchDog.exe [2016-10-21] (Bitdefender)
Task: {4DCA3ABF-5234-43E5-904D-E028091E3A1E} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cleanup => C:\Program Files\Windows Defender\\MpCmdRun.exe [2016-07-16] (Microsoft Corporation)
Task: {5E5F9357-06A4-4896-85E9-6EF55A38F7E3} - System32\Tasks\ASUS\RunDAOD => C:\Windows\DAODx.exe [2009-03-30] ()
Task: {84888C86-9A02-4FE0-9A50-55081ACEFBE0} - System32\Tasks\AMD Updater => C:\Program Files\AMD\CIM\\Bin64\InstallManagerApp.exe [2016-09-16] (Advanced Micro Devices, Inc.)
Task: {95DB9185-518E-467D-8DA1-F707A7C45FA5} - System32\Tasks\Adobe Flash Player PPAPI Notifier => C:\Windows\SysWoW64\Macromed\Flash\FlashUtil32_23_0_0_207_pepper.exe [2016-11-17] (Adobe Systems Incorporated)
Task: {A18D1CB0-A4E2-480F-9D68-7CB82CFDB044} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2017-01-22] (Google Inc.)
Task: {D5AA8756-D6E1-45BD-8A8E-8C93C4926DFE} - System32\Tasks\ping => E:\Programs\TP-Link NO SLEEP\ping.bat [2017-01-22] () <==== ATTENTION
Task: {D5E8D206-B85F-425F-975F-FEA03D94CAF8} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan => C:\Program Files\Windows Defender\\MpCmdRun.exe [2016-07-16] (Microsoft Corporation)
Task: {D707D7B1-4B74-4B6A-B7B7-D82EE6FEE964} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2017-01-22] (Google Inc.)
Task: {D770D36E-7CED-417C-B20E-7F180F1CF5D4} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Verification => C:\Program Files\Windows Defender\\MpCmdRun.exe [2016-07-16] (Microsoft Corporation)
Task: {E5BF8FD2-FD04-448F-BD4A-9DCDDC38AC3C} - System32\Tasks\Bitdefender AgentTask_AD394AE64E874073B10A89FEEC305A3C => C:\Program Files\Bitdefender\Bitdefender 2017\bdagent.exe [2017-01-22] (Bitdefender)
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\Windows\Tasks\Adobe Flash Player PPAPI Notifier.job => C:\Windows\SysWoW64\Macromed\Flash\FlashUtil32_23_0_0_207_pepper.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
 
==================== Shortcuts =============================
 
(The entries could be listed to be restored or removed.)
 
==================== Loaded Modules (Whitelisted) ==============
 
2016-07-16 13:42 - 2016-07-16 13:42 - 00231424 _____ () C:\Windows\SYSTEM32\ism32k.dll
2016-07-16 13:42 - 2016-07-16 13:42 - 02681200 _____ () C:\Windows\system32\CoreUIComponents.dll
2017-01-20 13:45 - 2013-09-03 14:29 - 00111832 _____ () C:\Program Files\Bitdefender\Bitdefender 2017\bdmetrics.dll
2017-01-20 13:45 - 2016-11-14 16:52 - 01008448 _____ () C:\Program Files\Bitdefender\Bitdefender 2017\otengines_001_001\ashttpbr.mdl
2017-01-20 13:45 - 2016-11-14 16:52 - 00541952 _____ () C:\Program Files\Bitdefender\Bitdefender 2017\otengines_001_001\ashttpdsp.mdl
2017-01-20 13:45 - 2016-11-14 16:52 - 03202816 _____ () C:\Program Files\Bitdefender\Bitdefender 2017\otengines_001_001\ashttpph.mdl
2017-01-20 13:45 - 2016-11-14 16:52 - 01542976 _____ () C:\Program Files\Bitdefender\Bitdefender 2017\otengines_001_001\ashttprbl.mdl
2016-11-12 17:17 - 2012-06-01 11:42 - 00920736 ____N () C:\Program Files (x86)\ASUS\AXSP\1.00.19\atkexComSvc.exe
2017-01-22 10:09 - 2014-08-06 03:04 - 01441792 _____ () C:\Program Files\Everything\Everything.exe
2016-12-09 13:03 - 2017-01-03 18:44 - 00076152 _____ () C:\Windows\system32\PnkBstrA.exe
2016-11-12 17:13 - 2009-03-30 08:32 - 00032768 ____R () C:\Windows\DAODx.exe
2016-07-16 13:42 - 2016-07-16 13:42 - 02681200 _____ () C:\Windows\SYSTEM32\CoreUIComponents.dll
2016-11-12 16:56 - 2016-11-12 16:56 - 01864384 _____ () C:\Users\omark\AppData\Local\Microsoft\OneDrive\17.3.6517.0809\amd64\ClientTelemetry.dll
2017-01-22 10:59 - 2017-01-22 10:59 - 00152944 _____ () C:\Program Files (x86)\Zemana AntiMalware\ZAMShellExt64.dll
2016-07-16 13:43 - 2016-07-16 16:28 - 09761280 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaApi.dll
2016-07-16 13:43 - 2016-07-16 16:28 - 01400320 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core.dll
2016-07-16 13:43 - 2016-07-16 16:28 - 00757248 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CSGSuggestLib.dll
2016-07-16 13:43 - 2016-07-16 16:28 - 01033728 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Actions.dll
2016-07-16 13:43 - 2016-07-16 16:28 - 02438144 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.BackgroundTask.dll
2016-07-16 13:43 - 2016-07-16 16:28 - 04853760 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersUI.dll
2017-01-05 05:28 - 2017-01-05 05:44 - 00072192 _____ () C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.10.145.0_x64__kzf8qxf38zg5c\SkypeHost.exe
2017-01-05 05:28 - 2017-01-05 05:44 - 00179712 _____ () C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.10.145.0_x64__kzf8qxf38zg5c\SkypeBackgroundTasks.dll
2017-01-05 05:28 - 2017-01-05 05:44 - 42130432 _____ () C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.10.145.0_x64__kzf8qxf38zg5c\SkyWrap.dll
2017-01-05 05:28 - 2017-01-05 05:39 - 02216448 _____ () C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.10.145.0_x64__kzf8qxf38zg5c\roottools.dll
2016-09-13 02:01 - 2016-09-13 02:01 - 00014336 _____ () C:\Program Files\AMD\CNext\CNext\QtQuick.2\qtquick2plugin.dll
2016-09-13 02:01 - 2016-09-13 02:01 - 00739840 _____ () C:\Program Files\AMD\CNext\CNext\QtQuick\Controls\qtquickcontrolsplugin.dll
2016-09-13 02:01 - 2016-09-13 02:01 - 00014336 _____ () C:\Program Files\AMD\CNext\CNext\QtQuick\Window.2\windowplugin.dll
2016-09-13 02:01 - 2016-09-13 02:01 - 00071168 _____ () C:\Program Files\AMD\CNext\CNext\QtQuick\Layouts\qquicklayoutsplugin.dll
2016-09-13 02:01 - 2016-09-13 02:01 - 00011776 _____ () C:\Program Files\AMD\CNext\CNext\libEGL.dll
2016-09-13 02:01 - 2016-09-13 02:01 - 02013696 _____ () C:\Program Files\AMD\CNext\CNext\libGLESv2.dll
2016-12-02 16:47 - 2013-01-10 19:09 - 00848384 _____ () C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe
2017-01-22 09:34 - 2017-01-22 09:34 - 00023328 _____ () C:\Program Files\Bitdefender\Bitdefender 2017\lang\en-US\bdsystray.txtui
2016-07-16 13:42 - 2016-07-16 13:42 - 00134656 _____ () C:\Windows\ShellExperiences\Windows.UI.Shell.SharedUtilities.dll
2016-07-16 13:43 - 2016-07-16 13:43 - 00474112 _____ () C:\Windows\ShellExperiences\QuickActions.dll
2016-07-16 13:43 - 2016-07-16 13:43 - 00693248 _____ () C:\Windows\ShellExperiences\MtcUvc.dll
2017-01-20 14:41 - 2017-01-20 14:40 - 00022024 _____ () E:\Games\(Origin)\Origin\QtWebEngineProcess.exe
2017-01-22 07:32 - 2017-01-22 07:32 - 00585168 _____ () C:\Program Files\Bitdefender\Bitdefender 2017\ExternalDevices.dll
2017-01-22 09:33 - 2017-01-22 09:33 - 00348544 _____ () C:\Program Files\Bitdefender\Bitdefender 2017\ui\ltr\ExternalDevices.ui
2017-01-22 10:14 - 2017-01-22 10:14 - 00348544 _____ () C:\Program Files\Bitdefender\Bitdefender 2017\lang\en-US\ExternalDevices.txtui
2017-01-22 09:32 - 2017-01-22 09:32 - 00022304 _____ () C:\Program Files\Bitdefender\Bitdefender 2017\lang\en-US\bdaphconp.txtui
2017-01-22 09:27 - 2017-01-22 09:27 - 00066240 _____ () C:\Program Files\Bitdefender\Bitdefender 2017\bddpsp.dll
2017-01-05 22:36 - 2016-12-07 23:35 - 00021280 _____ () C:\Program Files\Bitdefender\Bitdefender Device Management\lang\en-US\dmiface.txtui
2017-01-22 19:46 - 2017-01-22 19:49 - 01309184 _____ () C:\Users\omark\Downloads\zoek.exe
2016-11-12 17:17 - 2017-01-22 16:02 - 00033792 _____ () C:\Program Files (x86)\ASUS\AXSP\1.00.19\PEbiosinterface32.dll
2016-11-12 17:17 - 2010-06-29 04:58 - 00104448 ____N () C:\Program Files (x86)\ASUS\AXSP\1.00.19\ATKEX.dll
2017-01-20 14:41 - 2017-01-20 14:40 - 02493440 _____ () E:\Games\(Origin)\Origin\libGLESv2.dll
2017-01-20 14:41 - 2017-01-20 14:40 - 00012288 _____ () E:\Games\(Origin)\Origin\libEGL.DLL
2015-08-09 14:54 - 2016-07-19 20:04 - 00266240 _____ () E:\Games\(Origin)\Origin\imageformats\qmng.dll
2016-11-12 16:56 - 2016-11-12 16:56 - 01383616 _____ () C:\Users\omark\AppData\Local\Microsoft\OneDrive\17.3.6517.0809\ClientTelemetry.dll
2016-12-02 16:47 - 2013-01-10 18:32 - 01411072 _____ () C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\nicLan.dll
2016-12-02 16:46 - 2013-01-10 19:16 - 00193024 _____ () C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\DC_WFF.dll
2016-12-02 16:47 - 2013-01-07 16:03 - 00297472 _____ () C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\WJRtl.dll
2017-01-22 19:49 - 2017-01-22 19:49 - 00098816 _____ () C:\Users\omark\AppData\Local\Temp\sed.exe
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
AlternateDataStreams: C:\Users\omark\Downloads\FRST64.exe:BDU [0]
AlternateDataStreams: C:\Users\omark\Downloads\SecurityCheck.exe:BDU [0]
AlternateDataStreams: C:\Users\omark\Downloads\tdsskiller.exe:BDU [0]
AlternateDataStreams: C:\Users\omark\Downloads\zoek.exe:BDU [0]
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\90781335.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\90781335.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
 
==================== Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
 
==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2016-07-16 13:47 - 2017-01-22 19:03 - 00000736 ____A C:\Windows\system32\Drivers\etc\hosts
 
127.0.0.1       localhost
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-3043529976-417534618-3113873037-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\omark\Downloads\a-men-in-space-with-a-carlsberg-beer-5120x3200.jpg
DNS Servers: 5.196.39.62 - 8.8.4.4
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
HKLM\...\StartupApproved\Run32: => "ASUS WiFi GO! FileTransfer Execute"
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [TCP Query User{30732DB4-FB93-408D-A482-607F04F95ABC}E:\games\battlefield 4\bf4.exe] => E:\games\battlefield 4\bf4.exe
FirewallRules: [UDP Query User{F9026DCF-650A-42AB-AEE7-5C7C7BC76827}E:\games\battlefield 4\bf4.exe] => E:\games\battlefield 4\bf4.exe
FirewallRules: [{5C82E03D-DE97-45A8-8D01-9DA84D9B6471}] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
==================== Restore Points =========================
 
22-01-2017 19:57:27 zoek.exe restore point
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (01/22/2017 07:57:37 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.
 
Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.
 
System Error:
Access is denied.
.
 
Error: (01/22/2017 07:36:15 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: DESKTOP-77APQ4O)
Description: Activation of app Microsoft.Windows.Photos_8wekyb3d8bbwe!App failed with error: -2147023673 See the Microsoft-Windows-TWinUI/Operational log for additional information.
 
Error: (01/22/2017 06:21:18 PM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: License Activation (slui.exe) failed with the following error code:
hr=0x8007007B
Command-line arguments:
RuleId=502ff3ba-669a-4674-bbb1-601f34a3b968;Action=AutoActivateSilent;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=NetworkAvailable
 
Error: (01/22/2017 06:21:05 PM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: License Activation (slui.exe) failed with the following error code:
hr=0x8007007B
Command-line arguments:
RuleId=502ff3ba-669a-4674-bbb1-601f34a3b968;Action=AutoActivateSilent;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=NetworkAvailable
 
Error: (01/22/2017 05:47:45 PM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: License Activation (slui.exe) failed with the following error code:
hr=0x8007007B
Command-line arguments:
RuleId=502ff3ba-669a-4674-bbb1-601f34a3b968;Action=AutoActivateSilent;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=NetworkAvailable
 
Error: (01/22/2017 05:47:35 PM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: License Activation (slui.exe) failed with the following error code:
hr=0x8007007B
Command-line arguments:
RuleId=502ff3ba-669a-4674-bbb1-601f34a3b968;Action=AutoActivateSilent;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=NetworkAvailable
 
Error: (01/22/2017 04:55:41 PM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: License Activation (slui.exe) failed with the following error code:
hr=0x8007007B
Command-line arguments:
RuleId=502ff3ba-669a-4674-bbb1-601f34a3b968;Action=AutoActivateSilent;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=NetworkAvailable
 
Error: (01/22/2017 04:55:28 PM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: License Activation (slui.exe) failed with the following error code:
hr=0x8007007B
Command-line arguments:
RuleId=502ff3ba-669a-4674-bbb1-601f34a3b968;Action=AutoActivateSilent;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=NetworkAvailable
 
Error: (01/22/2017 04:35:13 PM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: License Activation (slui.exe) failed with the following error code:
hr=0x8007007B
Command-line arguments:
RuleId=502ff3ba-669a-4674-bbb1-601f34a3b968;Action=AutoActivateSilent;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=NetworkAvailable
 
Error: (01/22/2017 04:34:56 PM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: License Activation (slui.exe) failed with the following error code:
hr=0x8007007B
Command-line arguments:
RuleId=502ff3ba-669a-4674-bbb1-601f34a3b968;Action=AutoActivateSilent;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=NetworkAvailable
 
 
System errors:
=============
Error: (01/22/2017 07:48:52 PM) (Source: DCOM) (EventID: 10010) (User: DESKTOP-77APQ4O)
Description: The server {37998346-3765-45B1-8C66-AA88CA6B20B8} did not register with DCOM within the required timeout.
 
Error: (01/22/2017 07:46:52 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Connected Devices Platform Service service terminated with the following error: 
Unspecified error
 
Error: (01/22/2017 06:45:32 PM) (Source: DCOM) (EventID: 10010) (User: DESKTOP-77APQ4O)
Description: The server {37998346-3765-45B1-8C66-AA88CA6B20B8} did not register with DCOM within the required timeout.
 
Error: (01/22/2017 06:43:32 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Connected Devices Platform Service service terminated with the following error: 
Unspecified error
 
Error: (01/22/2017 04:47:19 PM) (Source: DCOM) (EventID: 10016) (User: DESKTOP-77APQ4O)
Description: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{C2F03A33-21F5-47FA-B4BB-156362A2F239}
 and APPID 
{316CDED5-E4AE-4B15-9113-7055D84DCC97}
 to the user DESKTOP-77APQ4O\omark SID (S-1-5-21-3043529976-417534618-3113873037-1001) from address LocalHost (Using LRPC) running in the application container Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy SID (S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742). This security permission can be modified using the Component Services administrative tool.
 
Error: (01/22/2017 04:47:19 PM) (Source: DCOM) (EventID: 10016) (User: DESKTOP-77APQ4O)
Description: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{C2F03A33-21F5-47FA-B4BB-156362A2F239}
 and APPID 
{316CDED5-E4AE-4B15-9113-7055D84DCC97}
 to the user DESKTOP-77APQ4O\omark SID (S-1-5-21-3043529976-417534618-3113873037-1001) from address LocalHost (Using LRPC) running in the application container Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy SID (S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742). This security permission can be modified using the Component Services administrative tool.
 
Error: (01/22/2017 04:47:19 PM) (Source: DCOM) (EventID: 10016) (User: DESKTOP-77APQ4O)
Description: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{C2F03A33-21F5-47FA-B4BB-156362A2F239}
 and APPID 
{316CDED5-E4AE-4B15-9113-7055D84DCC97}
 to the user DESKTOP-77APQ4O\omark SID (S-1-5-21-3043529976-417534618-3113873037-1001) from address LocalHost (Using LRPC) running in the application container Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy SID (S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742). This security permission can be modified using the Component Services administrative tool.
 
Error: (01/22/2017 04:47:19 PM) (Source: DCOM) (EventID: 10016) (User: DESKTOP-77APQ4O)
Description: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{C2F03A33-21F5-47FA-B4BB-156362A2F239}
 and APPID 
{316CDED5-E4AE-4B15-9113-7055D84DCC97}
 to the user DESKTOP-77APQ4O\omark SID (S-1-5-21-3043529976-417534618-3113873037-1001) from address LocalHost (Using LRPC) running in the application container Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy SID (S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742). This security permission can be modified using the Component Services administrative tool.
 
Error: (01/22/2017 04:47:19 PM) (Source: DCOM) (EventID: 10016) (User: DESKTOP-77APQ4O)
Description: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{C2F03A33-21F5-47FA-B4BB-156362A2F239}
 and APPID 
{316CDED5-E4AE-4B15-9113-7055D84DCC97}
 to the user DESKTOP-77APQ4O\omark SID (S-1-5-21-3043529976-417534618-3113873037-1001) from address LocalHost (Using LRPC) running in the application container Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy SID (S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742). This security permission can be modified using the Component Services administrative tool.
 
Error: (01/22/2017 04:47:18 PM) (Source: DCOM) (EventID: 10016) (User: DESKTOP-77APQ4O)
Description: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{C2F03A33-21F5-47FA-B4BB-156362A2F239}
 and APPID 
{316CDED5-E4AE-4B15-9113-7055D84DCC97}
 to the user DESKTOP-77APQ4O\omark SID (S-1-5-21-3043529976-417534618-3113873037-1001) from address LocalHost (Using LRPC) running in the application container Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy SID (S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742). This security permission can be modified using the Component Services administrative tool.
 
 
CodeIntegrity:
===================================
  Date: 2017-01-22 16:02:18.853
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Bitdefender\Bitdefender 2017\vsservp.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bitdefender\Bitdefender 2017\dbghelp.dll that did not meet the Custom 3 / Antimalware signing level requirements.
 
  Date: 2017-01-22 15:55:33.013
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Bitdefender\Bitdefender 2017\vsservp.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bitdefender\Bitdefender 2017\dbghelp.dll that did not meet the Custom 3 / Antimalware signing level requirements.
 
  Date: 2017-01-22 15:49:12.613
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Bitdefender\Bitdefender 2017\vsservp.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bitdefender\Bitdefender 2017\dbghelp.dll that did not meet the Custom 3 / Antimalware signing level requirements.
 
  Date: 2017-01-22 14:40:01.907
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Bitdefender\Bitdefender 2017\vsservp.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bitdefender\Bitdefender 2017\dbghelp.dll that did not meet the Custom 3 / Antimalware signing level requirements.
 
  Date: 2017-01-22 14:22:45.816
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Bitdefender\Bitdefender 2017\vsservp.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bitdefender\Bitdefender 2017\dbghelp.dll that did not meet the Custom 3 / Antimalware signing level requirements.
 
  Date: 2017-01-22 11:19:31.811
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Bitdefender\Bitdefender 2017\vsservp.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bitdefender\Bitdefender 2017\dbghelp.dll that did not meet the Custom 3 / Antimalware signing level requirements.
 
  Date: 2017-01-22 09:54:55.696
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Bitdefender\Bitdefender 2017\vsservp.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bitdefender\Bitdefender 2017\dbghelp.dll that did not meet the Custom 3 / Antimalware signing level requirements.
 
  Date: 2017-01-22 09:43:30.352
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Bitdefender\Bitdefender 2017\vsservp.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bitdefender\Bitdefender 2017\dbghelp.dll that did not meet the Custom 3 / Antimalware signing level requirements.
 
  Date: 2017-01-22 09:04:54.800
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Bitdefender\Bitdefender 2017\vsservp.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bitdefender\Bitdefender 2017\dbghelp.dll that did not meet the Custom 3 / Antimalware signing level requirements.
 
  Date: 2017-01-22 07:17:32.241
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Bitdefender\Bitdefender 2017\vsservp.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bitdefender\Bitdefender 2017\dbghelp.dll that did not meet the Custom 3 / Antimalware signing level requirements.
 
 
==================== Memory info =========================== 
 
Processor: AMD Phenom™ II X4 965 Processor
Percentage of memory in use: 27%
Total physical RAM: 8109.59 MB
Available physical RAM: 5880.48 MB
Total Virtual: 8621.59 MB
Available Virtual: 5474.06 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:59.76 GB) (Free:34.65 GB) NTFS
Drive e: () (Fixed) (Total:238.1 GB) (Free:97.31 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 298 GB) (Disk ID: 2E472E46)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=59.8 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=238.1 GB) - (Type=07 NTFS)
 
==================== End of Addition.txt ============================


#4 Jo*

  • Malware Response Team
  • 3,429 posts
  • Gender:Male
  • Location:Germany

Posted 22 January 2017 - 02:02 PM

Please post the content of the ZOEK log file too, thanks.

Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#5 NairyHipple
  • Topic Starter
  • Members
  • 5 posts

Posted 22 January 2017 - 02:07 PM

Zoek.exe v5.0.0.1 Updated 19-September-2016
Tool run by omark on Sun 01/22/2017 at 19:49:26.64.
Microsoft Windows 10 Pro 10.0.14393  x64
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\omark\Downloads\zoek.exe [Scan all users] [Script inserted] 
 
==== System Restore Info ======================
 
1/22/2017 7:57:46 PM Zoek.exe System Restore Point Created Successfully.
 
==== Empty Folders Check ======================
 
C:\PROGRA~2\AGEIA Technologies deleted successfully
C:\PROGRA~2\COMMON~1\WebM Project deleted successfully
C:\PROGRA~3\Comms deleted successfully
C:\PROGRA~3\IDM deleted successfully
C:\PROGRA~3\SoftwareDistribution deleted successfully
C:\Users\defaultuser0\AppData\Local\VirtualStore deleted successfully
C:\Users\omark\AppData\Local\NetworkTiles deleted successfully
C:\Users\omark\AppData\Local\PeerDistRepub deleted successfully
C:\Windows\serviceprofiles\networkservice\AppData\Local\Maps deleted successfully
C:\Windows\serviceprofiles\networkservice\AppData\Local\PeerDistPub deleted successfully
C:\Windows\serviceprofiles\networkservice\AppData\Local\PeerDistRepub deleted successfully
C:\Windows\serviceprofiles\Localservice\AppData\Local\NetworkTiles deleted successfully


#6 Jo*

  • Malware Response Team
  • 3,429 posts
  • Gender:Male
  • Location:Germany

Posted 22 January 2017 - 02:40 PM

Hello,
 

***


Copy FRST / FRST64.exe to your desktop!
(you were running it from C:\Users\omark\Downloads)

Open Notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box and right-click on it. Paste this into the open Notepad.
Save it in the same location as FRST / FRST64 (usually your desktop) as fixlist.txt



Start
CreateRestorePoint:
CloseProcesses:
S3 WsDrvInst; "C:\Program Files (x86)\Wondershare\Dr.Fone for Android\DriverInstall.exe" [X]
S2 AODDriver4.2.0; \??\C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [X]
S2 AODDriver4.2.0; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [X]
2017-01-22 19:49 - 2017-01-22 19:49 - 0476672 _____ () C:\Users\omark\AppData\Local\Temp\7za.exe
2017-01-22 19:49 - 2017-01-22 19:49 - 0476672 _____ C:\Users\omark\AppData\Local\Temp\7za.exe
2017-01-22 19:49 - 2017-01-22 19:49 - 0020480 _____ (E Dev) C:\Users\omark\AppData\Local\Temp\DaS_21.exe
2017-01-22 15:33 - 2017-01-22 15:24 - 11581544 _____ (SurfRight B.V.) C:\Users\omark\AppData\Local\Temp\HitmanPro.exe
2017-01-20 17:02 - 2017-01-20 17:20 - 37179352 _____ () C:\Users\omark\AppData\Local\Temp\InstallIMVU_530.0.exe
2017-01-20 17:02 - 2017-01-20 17:20 - 37179352 _____ C:\Users\omark\AppData\Local\Temp\InstallIMVU_530.0.exe
2017-01-22 19:49 - 2017-01-22 19:49 - 0030720 _____ (NirSoft) C:\Users\omark\AppData\Local\Temp\NirCmd.exe
2017-01-22 19:49 - 2017-01-22 19:49 - 0256512 _____ () C:\Users\omark\AppData\Local\Temp\PEVZ.EXE
2017-01-22 19:49 - 2017-01-22 19:49 - 0256512 _____ C:\Users\omark\AppData\Local\Temp\PEVZ.EXE
2017-01-22 19:49 - 2017-01-22 19:49 - 0069632 _____ () C:\Users\omark\AppData\Local\Temp\remove.exe
2017-01-22 19:49 - 2017-01-22 19:49 - 0069632 _____ C:\Users\omark\AppData\Local\Temp\remove.exe
2017-01-22 19:49 - 2017-01-22 19:49 - 0098816 _____ () C:\Users\omark\AppData\Local\Temp\sed.exe
2017-01-22 19:49 - 2017-01-22 19:49 - 0098816 _____ C:\Users\omark\AppData\Local\Temp\sed.exe
2017-01-22 19:49 - 2017-01-22 19:49 - 0057344 _____ (Optimum X) C:\Users\omark\AppData\Local\Temp\shortcut.exe
2017-01-22 19:49 - 2017-01-22 19:49 - 0161792 _____ (SteelWerX) C:\Users\omark\AppData\Local\Temp\swreg.exe
2017-01-22 19:49 - 2017-01-22 19:49 - 0217088 _____ (SteelWerX) C:\Users\omark\AppData\Local\Temp\swxcacls.exe
2017-01-22 19:49 - 2017-01-22 19:49 - 0154232 _____ (Noël Danjou) C:\Users\omark\AppData\Local\Temp\wget.exe
2017-01-22 19:49 - 2017-01-22 19:49 - 0024064 _____ () C:\Users\omark\AppData\Local\Temp\zoek-delete.exe
2017-01-22 19:49 - 2017-01-22 19:49 - 0024064 _____ C:\Users\omark\AppData\Local\Temp\zoek-delete.exe
Task: {D5AA8756-D6E1-45BD-8A8E-8C93C4926DFE} - System32\Tasks\ping => E:\Programs\TP-Link NO SLEEP\ping.bat [2017-01-22] <==== ATTENTION
2017-01-22 19:49 - 2017-01-22 19:49 - 00098816 _____ () C:\Users\omark\AppData\Local\Temp\sed.exe
2017-01-22 19:49 - 2017-01-22 19:49 - 00098816 _____ C:\Users\omark\AppData\Local\Temp\sed.exe
AlternateDataStreams: C:\Users\omark\Downloads\SecurityCheck.exe:BDU [0]
AlternateDataStreams: C:\Users\omark\Downloads\tdsskiller.exe:BDU [0]
AlternateDataStreams: C:\Users\omark\Downloads\zoek.exe:BDU [0]
EmptyTemp:
End

NOTICE: This script was written specifically for this user, for use on that particular machine.
Running this on another machine may cause damage to your operating system.


Run FRST / FRST64 again as Administrator like we did before, but this time press the Fix button just once and wait.
The tool will make a log (Fixlog.txt); please post it in your reply.

---

Download and run Chrome Software Cleaner


***


Please download Junkware Removal Tool from HERE and save it to your desktop.
Shut down your antivirus to avoid any potential conflicts.
Double-click JRT.exe to run the tool.
Vista / Windows 7/8/10 users: right-click and select Run As Administrator.
  • JRT will begin to back up your registry and start scanning your system.
  • Please be patient, as this can take a while to complete depending on your system's specifications.
  • On completion, the log JRT.txt is saved on your desktop and will automatically open.
Enable your antivirus!
Post the contents of JRT.txt into your next reply.


***


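
The fixlist in post #6 removes three kinds of leftovers: two service entries whose binaries no longer exist (FRST marks these with [X]), a scheduled task that runs a batch file from a non-standard location (E:\Programs\TP-Link NO SLEEP\ping.bat), and the :BDU alternate data streams on the downloaded tools. The PowerShell script below is an added example for this thread, not code from FRST, zoek or the original post; it re-implements those three checks natively so the result of the fix can be verified, and so the same triage can be repeated on another machine without the tool. The Downloads folder of the current user, the list of trusted roots and the script extensions it flags are assumptions.

```powershell
# Added example for this thread: a native PowerShell re-check of the three kinds of
# leftovers the fixlist above removes. Not code from FRST, zoek or the original post.
# Assumptions: elevated 64-bit PowerShell on Windows 10; the current user's Downloads
# folder; the trusted-root list and the flagged script extensions below.

# --- 1. Services/drivers whose binary no longer exists (what FRST marks "[X]") --------

function Resolve-ImagePath {
    # Turn a raw ImagePath registry value into an absolute file path.
    param([string]$ImagePath)
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath)
    $p = $p -replace '^\\\?\?\\', ''                          # \??\C:\...   -> C:\...
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"    # \SystemRoot\ -> C:\Windows\
    if ($p -match '^"([^"]+)"') { return $Matches[1] }        # quoted path: drop the arguments
    if ($p -match '^(?<exe>.*?\.(exe|sys|dll))(\s|$)') { $p = $Matches['exe'] }  # unquoted path + args
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }        # system32\drivers\x.sys
    return $p
}

function Get-OrphanedService {
    # Registry, not Win32_Service, so kernel drivers (AODDriver2.sys above) are covered too.
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
        $img = $_.GetValue('ImagePath')
        if (-not $img) { return }
        $file = Resolve-ImagePath $img
        if (-not (Test-Path -LiteralPath $file -PathType Leaf)) {
            [pscustomobject]@{ Service = $_.PSChildName; ImagePath = $img; Resolved = $file }
        }
    }
}

# --- 2. Scheduled tasks that run from outside Windows/Program Files or run a script ----

function Get-SuspiciousTaskAction {
    $trusted = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            if (-not $a.Execute) { continue }                  # COM-handler actions have no Execute
            $exe = [Environment]::ExpandEnvironmentVariables($a.Execute.Trim('"'))
            $reasons = @()
            if ($exe -notmatch '[\\/]') {
                $reasons += 'bare name, resolved via PATH'
            } elseif (-not ($trusted | Where-Object { $exe.StartsWith($_, 'OrdinalIgnoreCase') })) {
                $reasons += 'outside Windows/Program Files'
            }
            if ($exe -match '\.(bat|cmd|vbs|js|wsf|ps1)$') { $reasons += 'script action' }
            if ($reasons) {
                [pscustomobject]@{
                    Task      = $task.TaskPath + $task.TaskName
                    Execute   = $exe
                    Arguments = $a.Arguments
                    Reason    = $reasons -join '; '
                }
            }
        }
    }
}

# --- 3. Alternate data streams on downloaded files (the ":BDU" entries above) ----------

function Get-AlternateDataStream {
    param([string]$Folder = (Join-Path $env:USERPROFILE 'Downloads'))   # assumed location
    Get-ChildItem -LiteralPath $Folder -File | ForEach-Object {
        Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |                   # skip the main data stream
            ForEach-Object { [pscustomobject]@{ File = $_.FileName; Stream = $_.Stream; Bytes = $_.Length } }
    }
}

'== Services/drivers whose binary is missing (FRST [X]) =='
Get-OrphanedService | Format-Table -AutoSize
'== Scheduled task actions worth a look =='
Get-SuspiciousTaskAction | Format-Table -AutoSize
'== Alternate data streams in Downloads =='
Get-AlternateDataStream | Format-Table -AutoSize
```

Read the output the way the helper reads the FRST log, not as a verdict. A missing binary only says the entry is stale; the two [X] entries in this thread are leftovers of uninstalled Wondershare and AMD software, not malware. Zone.Identifier is the normal mark-of-the-web on anything a browser saved and is not a finding; the zero-byte BDU stream is almost certainly left by the installed Bitdefender when it scanned the files. A single stream can be dropped with Remove-Item -LiteralPath <file> -Stream BDU, which is what the AlternateDataStreams: lines in the fixlist do. Run the script from a 64-bit PowerShell, otherwise file-system redirection makes System32 paths resolve under SysWOW64.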


#7 NairyHipple
  • Topic Starter
  • Members
  • 5 posts

Posted 23 January 2017 - 08:49 AM

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.0 (12.05.2016)
Operating System: Windows 10 Pro x64 
Ran by omark (Administrator) on Mon 01/23/2017 at 15:43:45.04
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
File System: 4 
 
Successfully deleted: C:\ProgramData\1483560304.bdinstall.bin (File) 
Successfully deleted: C:\Users\omark\AppData\Local\crashrpt (Folder) 
Successfully deleted: C:\Users\omark\AppData\Roaming\imvuclient (Folder) 
Successfully deleted: C:\Windows\wininit.ini (File) 
 
 
 
Registry: 0 
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Mon 01/23/2017 at 15:47:38.84
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
Fix result of Farbar Recovery Scan Tool (x64) Version: 22-01-2017
Ran by omark (23-01-2017 15:26:32) Run:1
Running from C:\Users\omark\Desktop
Loaded Profiles: omark (Available Profiles: defaultuser0 & omark)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
Start
CreateRestorePoint:
CloseProcesses:
S3 WsDrvInst; "C:\Program Files (x86)\Wondershare\Dr.Fone for Android\DriverInstall.exe" [X]
S2 AODDriver4.2.0; \??\C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [X]
S2 AODDriver4.2.0; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [X]
2017-01-22 19:49 - 2017-01-22 19:49 - 0476672 _____ () C:\Users\omark\AppData\Local\Temp\7za.exe
2017-01-22 19:49 - 2017-01-22 19:49 - 0476672 _____ C:\Users\omark\AppData\Local\Temp\7za.exe
2017-01-22 19:49 - 2017-01-22 19:49 - 0020480 _____ (E Dev) C:\Users\omark\AppData\Local\Temp\DaS_21.exe
2017-01-22 15:33 - 2017-01-22 15:24 - 11581544 _____ (SurfRight B.V.) C:\Users\omark\AppData\Local\Temp\HitmanPro.exe
2017-01-20 17:02 - 2017-01-20 17:20 - 37179352 _____ () C:\Users\omark\AppData\Local\Temp\InstallIMVU_530.0.exe
2017-01-20 17:02 - 2017-01-20 17:20 - 37179352 _____ C:\Users\omark\AppData\Local\Temp\InstallIMVU_530.0.exe
2017-01-22 19:49 - 2017-01-22 19:49 - 0030720 _____ (NirSoft) C:\Users\omark\AppData\Local\Temp\NirCmd.exe
2017-01-22 19:49 - 2017-01-22 19:49 - 0256512 _____ () C:\Users\omark\AppData\Local\Temp\PEVZ.EXE
2017-01-22 19:49 - 2017-01-22 19:49 - 0256512 _____ C:\Users\omark\AppData\Local\Temp\PEVZ.EXE
2017-01-22 19:49 - 2017-01-22 19:49 - 0069632 _____ () C:\Users\omark\AppData\Local\Temp\remove.exe
2017-01-22 19:49 - 2017-01-22 19:49 - 0069632 _____ C:\Users\omark\AppData\Local\Temp\remove.exe
2017-01-22 19:49 - 2017-01-22 19:49 - 0098816 _____ () C:\Users\omark\AppData\Local\Temp\sed.exe
2017-01-22 19:49 - 2017-01-22 19:49 - 0098816 _____ C:\Users\omark\AppData\Local\Temp\sed.exe
2017-01-22 19:49 - 2017-01-22 19:49 - 0057344 _____ (Optimum X) C:\Users\omark\AppData\Local\Temp\shortcut.exe
2017-01-22 19:49 - 2017-01-22 19:49 - 0161792 _____ (SteelWerX) C:\Users\omark\AppData\Local\Temp\swreg.exe
2017-01-22 19:49 - 2017-01-22 19:49 - 0217088 _____ (SteelWerX) C:\Users\omark\AppData\Local\Temp\swxcacls.exe
2017-01-22 19:49 - 2017-01-22 19:49 - 0154232 _____ (Noël Danjou) C:\Users\omark\AppData\Local\Temp\wget.exe
2017-01-22 19:49 - 2017-01-22 19:49 - 0024064 _____ () C:\Users\omark\AppData\Local\Temp\zoek-delete.exe
2017-01-22 19:49 - 2017-01-22 19:49 - 0024064 _____ C:\Users\omark\AppData\Local\Temp\zoek-delete.exe
Task: {D5AA8756-D6E1-45BD-8A8E-8C93C4926DFE} - System32\Tasks\ping => E:\Programs\TP-Link NO SLEEP\ping.bat [2017-01-22] <==== ATTENTION
2017-01-22 19:49 - 2017-01-22 19:49 - 00098816 _____ () C:\Users\omark\AppData\Local\Temp\sed.exe
2017-01-22 19:49 - 2017-01-22 19:49 - 00098816 _____ C:\Users\omark\AppData\Local\Temp\sed.exe
AlternateDataStreams: C:\Users\omark\Downloads\SecurityCheck.exe:BDU [0]
AlternateDataStreams: C:\Users\omark\Downloads\tdsskiller.exe:BDU [0]
AlternateDataStreams: C:\Users\omark\Downloads\zoek.exe:BDU [0]
EmptyTemp:
End
*****************
 
Restore point was successfully created.
Processes closed successfully.
HKLM\System\CurrentControlSet\Services\WsDrvInst => key removed successfully
WsDrvInst => service removed successfully
HKLM\System\CurrentControlSet\Services\AODDriver4.2.0 => key removed successfully
AODDriver4.2.0 => service removed successfully
AODDriver4.2.0 => service not found.
C:\Users\omark\AppData\Local\Temp\7za.exe => moved successfully
"C:\Users\omark\AppData\Local\Temp\7za.exe" => not found.
C:\Users\omark\AppData\Local\Temp\DaS_21.exe => moved successfully
C:\Users\omark\AppData\Local\Temp\HitmanPro.exe => moved successfully
C:\Users\omark\AppData\Local\Temp\InstallIMVU_530.0.exe => moved successfully
"C:\Users\omark\AppData\Local\Temp\InstallIMVU_530.0.exe" => not found.
C:\Users\omark\AppData\Local\Temp\NirCmd.exe => moved successfully
C:\Users\omark\AppData\Local\Temp\PEVZ.EXE => moved successfully
"C:\Users\omark\AppData\Local\Temp\PEVZ.EXE" => not found.
C:\Users\omark\AppData\Local\Temp\remove.exe => moved successfully
"C:\Users\omark\AppData\Local\Temp\remove.exe" => not found.
C:\Users\omark\AppData\Local\Temp\sed.exe => moved successfully
"C:\Users\omark\AppData\Local\Temp\sed.exe" => not found.
C:\Users\omark\AppData\Local\Temp\shortcut.exe => moved successfully
C:\Users\omark\AppData\Local\Temp\swreg.exe => moved successfully
C:\Users\omark\AppData\Local\Temp\swxcacls.exe => moved successfully
C:\Users\omark\AppData\Local\Temp\wget.exe => moved successfully
C:\Users\omark\AppData\Local\Temp\zoek-delete.exe => moved successfully
"C:\Users\omark\AppData\Local\Temp\zoek-delete.exe" => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{D5AA8756-D6E1-45BD-8A8E-8C93C4926DFE} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D5AA8756-D6E1-45BD-8A8E-8C93C4926DFE} => key removed successfully
C:\Windows\System32\Tasks\ping => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ping => key removed successfully
"C:\Users\omark\AppData\Local\Temp\sed.exe" => not found.
"C:\Users\omark\AppData\Local\Temp\sed.exe" => not found.
"C:\Users\omark\Downloads\SecurityCheck.exe" => ":BDU" ADS not found.
C:\Users\omark\Downloads\tdsskiller.exe => ":BDU" ADS removed successfully.
C:\Users\omark\Downloads\zoek.exe => ":BDU" ADS removed successfully.
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 0 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 58159537 B
Java, Flash, Steam htmlcache => 19264735 B
Windows/system/drivers => 33119152 B
Edge => 55896964 B
Chrome => 21116041 B
Firefox => 0 B
Opera => 22846754 B
 
Temp, IE cache, history, cookies, recent:
Default => 7168 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 128 B
systemprofile32 => 158539 B
LocalService => 28676 B
NetworkService => 270300 B
defaultuser0 => 587916 B
omark => 188563287 B
 
RecycleBin => 0 B
EmptyTemp: => 381.5 MB temporary data Removed.
 
================================
 
 
The system needed a reboot.
 
==== End of Fixlog 15:27:44 ====


#8 Jo*

  • Malware Response Team
  • 3,429 posts
  • Gender:Male
  • Location:Germany

Posted 23 January 2017 - 09:32 AM

Hello,

:step1: Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)
There are 5 different versions. If one of them won't run, then download and try to run another one.
Vista and Win7/8/10 users need to right-click and choose Run as Administrator.
You only need to get one of them to run, not all of them. Do not reboot your computer after running rkill, as the malware programs will start again.


---


:step2: Malwarebytes' Anti-Malware
If this program is already installed: Skip the installation and run only the scan!
Download and install: Please download Malwarebytes Anti-Malware to your desktop.
  • Double-click mb3-setup-1878.1878-3.5.1.2522.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Launch Malwarebytes Anti-Malware
    • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.
  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
How to get logs: (Export log to save as txt)
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Export'.
  • Click 'Text file (*.txt)'
  • In the Save File dialog box which appears, click on Desktop.
  • In the File name: box type a name for your scan log.
  • A message box named 'File Saved' should appear stating "Your file has been successfully exported".
  • Click Ok
  • Attach that saved log to your next reply.
(Copy to clipboard for pasting into forum replies or tickets)
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply.

---


:step3: How is the computer running now?


---




#9 NairyHipple
  • Topic Starter
  • Members
  • 5 posts

Posted 23 January 2017 - 09:39 AM

Hi Jo! I don't know what happened, but after following one of the steps you told me up there, I'm actually not experiencing any of that redirecting malware anymore?! I don't know which exactly solved it, but I can guarantee you it's not there anymore. I've been surfing the web peacefully for almost an hour now? AHAHAHA I think it's solved but not particularly sure what solved it. THANK YOU!



#10 Jo*

  • Malware Response Team
  • 3,429 posts
  • Gender:Male
  • Location:Germany

Posted 23 January 2017 - 09:42 AM

OK, fine, but run the scans as instructed in post #8 now!



#11 Jo*

  • Malware Response Team
  • 3,429 posts
  • Gender:Male
  • Location:Germany

Posted 26 January 2017 - 01:44 AM

Hi,

it has been several days since I sent my last set of instructions to help with your computer problem.

Please let me know if you are having problems and still need help.

Note: Thread will be closed if no response after 3 days.



#12 Jo*

  • Malware Response Team
  • 3,429 posts
  • Gender:Male
  • Location:Germany

Posted 01 February 2017 - 02:05 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.





